Head of Marketing
Although the two bodies of the legislature are independent, they are closely related and meant to complement each other. GDPR references how personal data is collected and stored whereas ePrivacy references how personal data are communicated electronically and how non-personal data are managed.
The original directive of ePrivacy was intended to be limited to email and SMS messaging but has since been expanded to address data privacy within other communications platforms such as WhatsApp, Skype, Facebook Messenger and so on. Financial institutions already implement secure and encrypted communications with their clients and generally don’t rely on these platforms. However, the ePrivacy regulations around metadata (which is the data describing the data packets being transported), is now a factor to be considered as it affects all modes of communication.
Whereas GDPR is focused on personal data, ePrivacy includes non-personal data such as cookies and presides over the confidentiality of information. Once enacted, ePrivacy will nullify pre-ticked consent boxes and will require explicit outreach to elicit informed consent. In essence, banks will now need to report on how the data that’s tracking the customers’ personal data is being used, then share that information with customers in simple terms to ensure understanding. This becomes tricky for financial institutions which must now annotate and track each transaction by every client, which includes cash transfers between clients and institutions. The result is an exponential volume of related data. Requirements also include separate provisioning of social security numbers, credit scores, account numbers, and contact coordinates to make it difficult for cyber thieves to reconstruct personals profiles in the event of a breach.
De-identification and detailed processes of how this information is kept confidential must be expressed in explicit detail. Specifically, this restricts a bank from informing a named third party about your spending habits – unless you consented to do so.
Securing explicit consent is challenging enough. Ensuring that you have designed a system that will protect the integrity of the data collected and dispose of it, and all of its associated metadata, when a customer demands that you do so is more complicated. This Data Erasure or “right to be forgotten” requirement will be highly problematic. Case in point, consider all the bank accounts that you’ve held at various financial institutions over your lifetime, how many different vendors you’ve paid through electronic credit or debit transactions, and how many employers and clients have paid you … the complexity is mind-blogging. The data volumes are nearly unfathomable.
Exacerbating the problem is that financial institutions have legacy systems that are difficult to update. Thus far, the industry has been slow to adopt digital transformation and migrate from a server-based to a cloud-based architecture, so a lot of personal information is tethered and not broadly accessible. Some banks have created data lakes but this strategy is also problematic because cyber thieves can now harvest everything from one place if they can penetrate the security measures. Additionally, given the high rate of M&A within the field and the frequent closure of brick and mortar retail banks, accurately pinpointing the location and journey of a specific data point is non-trivial. However, doing so will soon be required.
New and specific policies, practices, and procedures will be separately required to manage the multitude of financial transaction types. These include fraud detection, customer segmentation, personalized marketing, risk management, wealth management, and so on. Since most customers engage in most if not all transaction types, financial institutions will need to map out all touchpoints and the journey of each piece of data – plus its metadata. Detailing how information is exchanged internally and externally to enable each of these types of transactions and all of the combinations of transactions is a mammoth task. In short, doing so rapidly becomes a hyper-combinatorial problem.
Consumers will soon have greater control over their data, who uses it, and how and when it’s used. However, this has spawned a ripple effect. At first, it was only companies transacting in the EU. Since then, all 50 US states have imposed their own data privacy regulations. Some, like South Carolina and New York, have additional requirements targeting insurance data. Other states, like Vermont, are in the process of regulating how vendors access and utilize customer data. Lawmakers are currently exploring a unified legislature through a national framework in an effort to control how companies profit from consumer data.
On March 12, 2019, the EDPB issued guidance on the interplay between ePrivacy and GDPR. Specifically, any violations of ePrivacy rules are admissible when assessing GDPR fines, so long as the same governing body presides over both pieces of legislation. Earlier this summer, the California Consumer Privacy law was enacted and will be enforceable by this time next year. Ripples are still being felt across all financial institutions as a result of the Equifax breach which has since imposed additional data confidentiality assessments and controls on all affected customer accounts.
Fines are the simplest part to manage. So is the requirement to notify customers of a breach within 72h and assign a Data Protection Officer. However, defining the rules of engagement with third-party vendors is challenging. The tough part comes in “Privacy by Design” which references the deliberate design of enhanced data privacy infrastructure with robust security and protection technology. Systems must render it difficult for cyber thieves to assemble data into meaningful and related packets corresponding to individuals, their financial assets, and their identifiers.
Although the enactment of the proposed ePrivacy regulations has been stalled, there appears to be some recent movement towards resolution. Currently, both tech giants and banks are lobbying hard against the complex requirements. But, it’s probably only a matter of time before financial institutions are fined, mandated to change their practices, or be forced to cease operations. The best path forward is to begin adopting these regulations now, before they become enforceable.